IDMEF File Zoom
The File Class
The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute.
The File class is composed of eleven aggregate classes:
Exactly one. STRING. The name of the file to which the alert applies, not including the path to the file.
Exactly one. STRING. The full path to the file, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.
For Windows systems, the path should be specified using the Universal Naming Convention (UNC) for remote files, and using a drive letter for local files (e.g., "C:\boot.ini"). For Unix systems, paths on network file systems should use the name of the mounted resource instead of the local mount point (e.g., "fileserver:/usr/local/bin/foo"). The mount point can be provided using the <Linkage> element.
Zero or one. DATETIME. Time the file was created. Note that this is not the Unix "st_ctime" file attribute (which is not file creation time). The Unix "st_ctime" attribute is contained in the "Inode" class.
Zero or one. DATETIME. Time the file was last modified.
Zero or one. DATETIME. Time the file was last accessed.
Zero or one. INTEGER. The size of the data, in bytes. Typically what is meant when referring to file size. On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corresponds to Valid Data Length (VDL).
Zero or one. INTEGER. The physical space on disk consumed by the file, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value corresponds to End of File (EOF).
Zero or more. Access permissions on the file.
Zero or more. File system objects to which this file is linked (other references for the file).
Zero or one. Inode information for this file (relevant to Unix).
Zero or more. Checksum information for this file.
The File class has four attributes:
Optional. A unique identifier for this file.
Required. The context for the information being provided. The permitted values are shown below. There is no default value.
Rank  Keyword   Description
0     current   The file information is from after the reported change
1     original  The file information is from before the reported change
Optional. The type of file system the file resides on. This attribute governs how path names and other attributes are interpreted.
Rank  Keyword  Description
0     ufs      Berkeley Unix Fast File System
1     efs      Linux "efs" file system
2     nfs      Network File System
3     afs      Andrew File System
4     ntfs     Windows NT File System
5     fat16    16-bit Windows FAT File System
6     fat32    32-bit Windows FAT File System
7     pcfs     "PC" (MS-DOS) file system on CD-ROM
8     joliet   Joliet CD-ROM file system
9     iso9660  ISO 9660 CD-ROM file system
Optional. The type of file, as a mime-type.
The FileAccess Class
The FileAccess class represents the access permissions on a file. The representation is intended to be useful across operating systems.
The FileAccess class is composed of two aggregate classes:
Exactly one. The user (or group) to which these permissions apply. The value of the "type" attribute must be "user-privs", "group-privs", or "other-privs" as appropriate. Other values for "type" MUST NOT be used in this context.
One or more. ENUM. Level of access allowed. The permitted values are shown below. There is no default value.
Rank  Keyword            Description
0     noAccess           No access at all is allowed for this user
1     read               This user has read access to the file
2     write              This user has write access to the file
3     execute            This user has the ability to execute the file
4     search             This user has the ability to search this file (applies to "execute" permission on directories in Unix)
5     delete             This user has the ability to delete this file
6     executeAs          This user has the ability to execute this file as another user
7     changePermissions  This user has the ability to change the access permissions on this file
8     takeOwnership      This user has the ability to take ownership of this file
The "changePermissions" and "takeOwnership" strings represent those concepts in Windows. On Unix, the owner of the file always has "changePermissions" access, even if no other access is allowed for that user. "Full Control" in Windows is represented by enumerating the permissions it contains. The "executeAs" string represents the set-user-id and set-group-id features in Unix.
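As an added example (not part of this page or of any IDMEF implementation), the following Python maps Unix st_mode bits onto the permission keywords listed above and renders the result as <FileAccess> elements. The element layout (a UserId with a "type" attribute followed by one empty <permission perms="..."/> per keyword) is taken from RFC 4765's DTD, which this page summarizes; treating the set-uid and set-gid bits as "executeAs" for every class that can execute the file is this example's own interpretation, and the principal names are constructed.

```python
import stat
import xml.etree.ElementTree as ET

# (privilege class, read bit, write bit, execute/search bit) for each "type" value
PRIV_CLASSES = (
    ("user-privs", stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    ("group-privs", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    ("other-privs", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)


def unix_mode_to_file_access(mode):
    """Map a Unix st_mode value to IDMEF permission keywords.

    Returns {"user-privs": [...], "group-privs": [...], "other-privs": [...]}
    using the keywords from the permission table. Two rules come straight
    from the text: the owner always gets "changePermissions", and the "x"
    bit on a directory means "search" rather than "execute". One rule is
    this example's own interpretation (an assumption): when the set-uid or
    set-gid bit is present, every class that can execute the file also
    gets "executeAs".
    """
    is_dir = stat.S_ISDIR(mode)
    set_id = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    result = {}
    for privs, r_bit, w_bit, x_bit in PRIV_CLASSES:
        perms = []
        if mode & r_bit:
            perms.append("read")
        if mode & w_bit:
            perms.append("write")
        if mode & x_bit:
            perms.append("search" if is_dir else "execute")
            if set_id and not is_dir:
                perms.append("executeAs")
        if privs == "user-privs":
            # Unix: the owner may chmod even when all owner bits are clear
            perms.append("changePermissions")
        if not perms:
            perms.append("noAccess")
        result[privs] = perms
    return result


def file_access_elements(mode, principals):
    """Render one <FileAccess> element per privilege class.

    `principals` maps each class to a (name, number) pair for its UserId,
    e.g. {"user-privs": ("root", 0), "group-privs": ("wheel", 0),
    "other-privs": ("other", 65534)}. The XML layout follows RFC 4765's
    DTD and is an assumption here, since this page shows no XML.
    """
    elements = []
    for privs, perms in unix_mode_to_file_access(mode).items():
        fa = ET.Element("FileAccess")
        user_id = ET.SubElement(fa, "UserId", type=privs)
        name, number = principals[privs]
        ET.SubElement(user_id, "name").text = name
        ET.SubElement(user_id, "number").text = str(number)
        for keyword in perms:
            ET.SubElement(fa, "permission", perms=keyword)
        elements.append(fa)
    return elements


if __name__ == "__main__":
    # Constructed sample: a set-uid root binary with mode 4755
    sample_mode = stat.S_IFREG | stat.S_ISUID | 0o755
    who = {"user-privs": ("root", 0), "group-privs": ("root", 0),
           "other-privs": ("other", 65534)}
    for el in file_access_elements(sample_mode, who):
        print(ET.tostring(el, encoding="unicode"))
```

Feeding the mapping a directory mode shows the "search" substitution, and a mode with no owner bits at all still yields a single "changePermissions" entry for user-privs, which is exactly the Unix caveat the text calls out.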
The Linkage Class
The Linkage class represents file system connections between the file described in the <File> element and other objects in the file system. For example, if the <File> element is a symbolic link or shortcut, then the <Linkage> element should contain the name of the object the link points to. Further information can be provided about the object in the <Linkage> element with another <File> element, if appropriate.
The Linkage class is composed of three aggregate classes:
Exactly one. STRING. The name of the file system object, not including the path.
Exactly one. STRING. The full path to the file system object, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.
Exactly one. A <File> element may be used in place of the <name> and <path> elements if additional information about the file is to be included.
The Linkage class has one attribute:
The type of object that the link describes. The permitted values are shown below. There is no default value.
Rank  Keyword        Description
0     hard-link      The <name> element represents another name for this file. This information may be more easily obtainable on NTFS file systems than others.
1     mount-point    An alias for the directory specified by the parent's <name> and <path> elements.
2     reparse-point  Applies only to Windows; excludes symbolic links and mount points, which are specific types of reparse points.
3     shortcut       The file represented by a Windows "shortcut". A shortcut is distinguished from a symbolic link because of the difference in their contents, which may be of importance to the manager.
4     stream         An Alternate Data Stream (ADS) in Windows; a fork on MacOS. A separate file system entity that is considered an extension of the main <File>.
5     symbolic-link  The <name> element represents the file to which the link points.
The Inode Class
The Inode class is used to represent the additional information contained in a Unix file system i-node.
The Inode class is composed of six aggregate classes:
Zero or one. DATETIME. The time of the last inode change, given by the st_ctime element of "struct stat".
Zero or one. INTEGER. The inode number.
Zero or one. INTEGER. The major device number of the device the file resides on.
Zero or one. INTEGER. The minor device number of the device the file resides on.
Zero or one. INTEGER. The major device of the file itself, if it is a character special device.
Zero or one. INTEGER. The minor device of the file itself, if it is a character special device.
Note that <number>, <major-device>, and <minor-device> must be given together, and the <c-major-device> and <c-minor-device> must be given together.
The Checksum Class
The Checksum class represents checksum information associated with the file. This checksum information can be provided by file integrity checkers, among others.
The Checksum class is composed of two aggregate classes:
Exactly one. STRING. The value of the checksum.
Zero or one. STRING. The key to the checksum, if appropriate.
The Checksum class has one attribute:
The cryptographic algorithm used for the computation of the checksum. The permitted values are shown below. There is no default value.
Rank  Keyword   Description
0     MD4       The MD4 algorithm.
1     MD5       The MD5 algorithm.
2     SHA1      The SHA1 algorithm.
3     SHA2-256  The SHA2 algorithm with a 256-bit length.
4     SHA2-384  The SHA2 algorithm with a 384-bit length.
5     SHA2-512  The SHA2 algorithm with a 512-bit length.
6     CRC-32    The CRC algorithm with a 32-bit length.
7     Haval     The Haval algorithm.
8     Tiger     The Tiger algorithm.
9     Gost      The Gost algorithm.
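The following Python is an added example, not code from this page or from any IDMEF implementation, and it serves the File, Linkage, Inode and Checksum sections together: it assembles a <File> element from stat-like values the way a file integrity checker might, placing st_ctime in Inode/change-time rather than File/create-time, computing disk-size as 512 * st_blocks, attaching a mount-point Linkage as the path note above suggests, validating the category, fstype, Linkage and Checksum enumerations against the tables on this page, and checking the Inode co-occurrence rule. The child element names (name, path, modify-time, access-time, data-size, disk-size, change-time, number, major-device, minor-device, value) and the Linkage "category" attribute follow RFC 4765, which this page summarizes; StatLike, SAMPLE_DATA and SAMPLE_STAT are constructed stand-ins for real os.stat output and file contents.

```python
import hashlib
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import NamedTuple

# Enumerations from the tables on this page
CHECKSUM_ALGORITHMS = ("MD4", "MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512",
                       "CRC-32", "Haval", "Tiger", "Gost")
FSTYPES = ("ufs", "efs", "nfs", "afs", "ntfs", "fat16", "fat32", "pcfs", "joliet", "iso9660")
LINK_CATEGORIES = ("hard-link", "mount-point", "reparse-point", "shortcut", "stream", "symbolic-link")
# IDMEF keyword -> hashlib name, for the algorithms hashlib guarantees everywhere
HASHLIB_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
                 "SHA2-384": "sha384", "SHA2-512": "sha512"}


class StatLike(NamedTuple):  # constructed stand-in for the os.stat_result fields used here
    st_size: int
    st_blocks: int
    st_ctime: float
    st_mtime: float
    st_atime: float
    st_ino: int
    st_dev: int


def idmef_datetime(ts):
    # IDMEF DATETIME is ISO 8601; emit UTC with the "Z" designator
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def checksum_element(data, algorithm="SHA2-256"):
    """<Checksum algorithm="..."><value>hex digest</value></Checksum> over `data`."""
    if algorithm not in CHECKSUM_ALGORITHMS:
        raise ValueError(f"not an IDMEF checksum algorithm: {algorithm}")
    if algorithm not in HASHLIB_NAMES:
        raise ValueError(f"{algorithm} is a valid keyword but is not computed by this example")
    el = ET.Element("Checksum", algorithm=algorithm)
    ET.SubElement(el, "value").text = hashlib.new(HASHLIB_NAMES[algorithm], data).hexdigest()
    return el


def inode_element(st):
    el = ET.Element("Inode")
    # st_ctime is the inode change time; it belongs here, not in File/create-time
    ET.SubElement(el, "change-time").text = idmef_datetime(st.st_ctime)
    # number, major-device and minor-device must be given together
    ET.SubElement(el, "number").text = str(st.st_ino)
    ET.SubElement(el, "major-device").text = str(os.major(st.st_dev))
    ET.SubElement(el, "minor-device").text = str(os.minor(st.st_dev))
    return el


def check_inode_groups(inode):
    """True when the co-occurrence rule for Inode children holds, else False."""
    present = {child.tag for child in inode}
    for group in (("number", "major-device", "minor-device"),
                  ("c-major-device", "c-minor-device")):
        found = present.intersection(group)
        if found and found != set(group):
            return False
    return True


def linkage_element(category, name, path):
    """<Linkage category="..."> naming the object this file is linked to."""
    if category not in LINK_CATEGORIES:
        raise ValueError(f"not an IDMEF linkage category: {category}")
    el = ET.Element("Linkage", category=category)
    ET.SubElement(el, "name").text = name
    ET.SubElement(el, "path").text = path
    return el


def file_element(name, path, st, data, category="current", fstype="ufs", links=()):
    """Assemble the <File> element with its Linkage, Inode and Checksum children."""
    if category not in ("current", "original"):
        raise ValueError(f"category must be current or original, got {category}")
    if fstype not in FSTYPES:
        raise ValueError(f"not an IDMEF fstype: {fstype}")
    f = ET.Element("File", category=category, fstype=fstype)
    ET.SubElement(f, "name").text = name
    ET.SubElement(f, "path").text = path
    # No create-time: struct stat has no creation timestamp, and st_ctime is not one
    ET.SubElement(f, "modify-time").text = idmef_datetime(st.st_mtime)
    ET.SubElement(f, "access-time").text = idmef_datetime(st.st_atime)
    ET.SubElement(f, "data-size").text = str(st.st_size)          # stat.st_size
    ET.SubElement(f, "disk-size").text = str(512 * st.st_blocks)  # 512 * stat.st_blocks
    for link in links:
        f.append(link)
    f.append(inode_element(st))
    f.append(checksum_element(data))
    return f


# Constructed sample: a small script and the stat values recorded for it
SAMPLE_DATA = b"#!/bin/sh\necho constructed sample\n"
SAMPLE_STAT = StatLike(st_size=len(SAMPLE_DATA), st_blocks=8, st_ctime=1700000000,
                       st_mtime=1699990000, st_atime=1700001000, st_ino=131074, st_dev=2049)

if __name__ == "__main__":
    doc = file_element("foo", "fileserver:/usr/local/bin/foo", SAMPLE_STAT, SAMPLE_DATA,
                       fstype="nfs", links=[linkage_element("mount-point", "local", "/usr/local")])
    print(ET.tostring(doc, encoding="unicode"))
```

Running the script prints the element for the "fileserver:/usr/local/bin/foo" example from the path note, with the local mount point carried in a Linkage child; a category value outside current/original, an unknown fstype, or a checksum keyword that is not in the table is rejected before any XML is produced.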